1

I am able to access sql server azure from my .net core application running in app service by using AAD authentication. To be able to do so it was necessary to register user assigned managed identity in sql server and it was done by following steps in this article . In addition, it was necessary to specify AzureServicesAuthConnectionString (RunAs=App;AppId=c5309486-960d-46f4-bbea-XXX) to allow applicaiton code to request authentication token from Azure token provider, more info here

Now I am trying to migrate my application into AKS cluster. I am following instructions from https://www.cloudiqtech.com/implementing-azure-ad-pod-identity-in-aks-cluster/ to install Azure identity into cluster by using kubernetess application https://github.com/Azure/aad-pod-identity After all configuration was created, I also added AzureServicesAuthConnectionString to config map but the application fails with the following message :

An error occurred seeding the DB.

System.AggregateException: One or more errors occurred. (Parameters: Connection String: RunAs=App;AppId=a349660d-cbfd-45fc-a917-XXX, Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. The operation was canceled.)

---> Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App;AppId=a349660d-cbfd-45fc-a917-XXX, Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. The operation was canceled.

at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAuthResultAsyncImpl(String resource, String authority, Boolean forceRefresh, CancellationToken cancellationToken)

at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAccessTokenAsync(String resource, String tenantId, Boolean forceRefresh, CancellationToken cancellationToken)

--- End of inner exception stack trace ---

at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)

at System.Threading.Tasks.Task`1.get_Result()

at MvcMovie.DataAccess.MovieContext..ctor(DbContextOptions`1 options)

at MvcMovie.DataAccess.SeedData.Initialize(IServiceProvider serviceProvider)

at MvcMovie.Program.Main(String[] args)

Alexey Auslender
  • 402
  • 5
  • 18

1 Answers1

-1

From AAD Pod Identity for Kubernetes documentation: AKS and aks-engine clusters require an identity to communicate with Azure. This identity can be either a managed identity (in the form of system-assigned identity or user-assigned identity) or a service principal. This section explains various role assignments that need to be performed before using AAD Pod Identity. Without the proper role assignments, your Azure cluster will not have the correct permission to assign and un-assign identities from the underlying virtual machines (VM) or virtual machine scale sets (VMSS).

I was missing the following role assignemt to the cluster system assigned managed identity:"Managed Identity Operator", "Virtual Machine Contributor"

In addition the user assigned managed identity that accesses data bases needs to be created within the same resource group that AKS cluster was created in.

Alexey Auslender
  • 402
  • 5
  • 18